

How can I make sense of....

Discussion in 'General Discussion' started by lamp, Nov 29, 2004.

  1. lamp

    lamp Well-Known Member

    Dec 22, 2003

    How can I make sense of my LogWatch logs.... What do all of these unmatched entries mean... Are there any docs out there? Or has anyone seen these things before?

    For instance I got the following:

    --------------------- courier-mta Begin ------------------------
    **Unmatched Entries**
    Authenticated user=username host=localhost []: 25 Time(s)
    Logout user=??? domain=??? host=UNKNOWN: 39 Time(s)
    ---------------------- courier-mta End -------------------------

    --------------------- Kernel Begin ------------------------
    Dropped 3317 packets on interface eth0
    From - 2 packets to tcp(5000)
    From - 1 packet to tcp(5000)
    From - 8 packets to tcp(901,901,901,901,901,901,901,901)
    From - 18 packets to tcp(1025,2745,6129,1025,2745,6129)
    .... Hundreds more... (I guess this is APF working...)
    --------------------- Kernel End ------------------------

    --------------------- Named Begin ------------------------
    **Unmatched Entries**
    client error sending response: host unreachable: 160 Time(s)
    client error sending response: host unreachable: 95 Time(s)
    client error sending response: host unreachable: 142 Time(s)
    client error sending response: host unreachable: 1 Time(s)
    ---------------------- Named End ------------------------

    --------------------- proftpd-messages Begin ------------------------
    **Unmatched Entries**
    ([]) - FTP login timed out, disconnected
    ([]) - FTP login timed out, disconnected
    ... Hundreds more ...
    --------------------- proftpd-messages End ------------------------

    Thanks (as always)

  2. ctbhost

    ctbhost Well-Known Member

    May 31, 2002
    I have similar - and would like to know what they all mean - can someone please advise
  3. picoyak

    picoyak Well-Known Member

    Jun 10, 2004
    Far as I can figure...

    Reporting for logwatch is processed via scripts located at /etc/log.d/scripts/services/. When logwatch runs, it processes your log files with these scripts and looks for criteria that will match output descriptions.

    For instance, if logwatch was looking through /var/log/messages, then it's looking for things such as 'Connection Refused' or 'Timeout From'. Stuff like that. For each service that logwatch processes, it will look for all messages pertaining to that service.

    So let's say logwatch is processing sshd messages out of /var/log/messages and running them through the script /etc/log.d/scripts/services/sshd. It'll hunt down everything related to sshd in /var/log/messages and process it, then create an output section of the logwatch message based on the rules in that script. Now if there are items in /var/log/messages that have no description defined in the sshd script then those are reported as Unmatched Entries. They may be things you want to look closer at, or they may be things that you want to add a custom filter in for logwatch to parse or not report at all.

    Personally I haven't bothered with customizing logwatch output or filtering. Dunno whether that's good or bad. I'd love to hear other opinions on that myself :)
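
The matching behaviour described in the post above, modelled as an added Python example (not part of the thread and not logwatch's own script code): lines for one service are checked against known patterns, and anything without a rule lands under Unmatched Entries. The log lines are constructed, and the function names and rule lists are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the proftpd and named entries quoted in the thread.
SAMPLE = """\
Nov 29 04:02:11 host proftpd[2101]: host (192.0.2.10[192.0.2.10]) - FTP login timed out, disconnected
Nov 29 04:05:40 host proftpd[2117]: host (192.0.2.11[192.0.2.11]) - FTP login timed out, disconnected
Nov 29 04:07:02 host proftpd[2130]: host (192.0.2.10[192.0.2.10]) - FTP session opened.
Nov 29 04:09:13 host proftpd[2144]: host (192.0.2.12[192.0.2.12]) - FTP session closed.
Nov 29 04:09:59 host named[811]: client 192.0.2.10#1030: error sending response: host unreachable
"""

STOCK_RULES = [("Sessions opened", r"FTP session opened")]              # hypothetical rule set
CUSTOM_RULES = STOCK_RULES + [("Login timeouts", r"FTP login timed out")]  # adds one custom filter
IGNORE = [r"FTP session closed"]                                        # known noise, never reported

def summarize(log_text, service, rules, ignore=()):
    """Return (matched, unmatched) Counters for one service's messages."""
    prefix = re.compile(r"\s%s\[\d+\]:\s+(.*)$" % re.escape(service))
    matched, unmatched = Counter(), Counter()
    for line in log_text.splitlines():
        m = prefix.search(line)
        if not m:
            continue  # line belongs to another service
        msg = m.group(1)
        if any(re.search(p, msg) for p in ignore):
            continue  # deliberately filtered out of the report
        for label, pattern in rules:
            if re.search(pattern, msg):
                matched[label] += 1  # summarised under its description
                break
        else:
            unmatched[msg] += 1  # no rule describes it: reported verbatim
    return matched, unmatched

def report(service, matched, unmatched):
    out = ["--- %s Begin ---" % service]
    out += ["%s: %d Time(s)" % kv for kv in sorted(matched.items())]
    if unmatched:
        out.append("**Unmatched Entries**")
        out += ["%s: %d Time(s)" % kv for kv in sorted(unmatched.items())]
    out.append("--- %s End ---" % service)
    return "\n".join(out)

if __name__ == "__main__":
    for rules in (STOCK_RULES, CUSTOM_RULES):
        print(report("proftpd", *summarize(SAMPLE, "proftpd", rules, IGNORE)))
```

With `STOCK_RULES` the two timeout lines are listed individually under Unmatched Entries; with `CUSTOM_RULES` they collapse into a single "Login timeouts" count and the unmatched section disappears.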
